[Samba] Samba4 member of an another « Samba4 » domain

steve steve at steve-ss.com
Sun Apr 14 00:00:27 MDT 2013

On 14/04/13 01:37, François Lafont wrote:
> Hello,
> Le 13/04/2013 20:24, steve a écrit :
>> You still have to add the objects. Yourself!
> Ok, if I understand, after a provision of a domain with samba-tool and the "--use-rfc2307" option, samba4 can support posixaccount etc. in its database, but I have to add the object class and the mandatory attributes myself.
It can do that whether you provision with --use-rfc2307 or not. I 
believe that it adds the possibility of adding the uid:gid from windows. 
I've never used windows for this.
> But, after this:
> -------------------------------------------
> samba-tool domain provision --realm=CHEZMOI.PRIV --domain=CHEZMOI \
>      --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass='+toto123' \
>      --use-rfc2307
> ln -s /usr/local/samba/lib/libnss_winbind.so /lib/libnss_winbind.so
> ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2
> # I had winbind in nsswitch.conf
> sed -i -r -e 's/^(passwd:.*)$/\1 winbind/g' -e 's/^(group:.*)$/\1 winbind/g' /etc/nsswitch.conf
> samba
> -------------------------------------------
> I have a few users and groups which are already created:
> # wbinfo -u
> Administrator
> Guest
> krbtgt
> # wbinfo -g
> Enterprise Read-Only Domain Controllers
> Domain Admins
> Domain Users
> Domain Guests
> Domain Computers
> Domain Controllers
> Schema Admins
> Enterprise Admins
> Group Policy Creator Owners
> Read-Only Domain Controllers
> DnsUpdateProxy
> Must I add "objectclass: posixAccount", "uid:...", uidNumber:..." etc. entries for each account above?
> And must I add "objetclass: posixGroup", "gidNumber: ..." etc. entries for each group above?
If you want to pull uid:gid from AD then you'll need to add uidNumber 
and gidNumber for users and gidNumber for groups. All users which need 
to login will need the attributes but there's no need to allocate 
gidNumber to al the groups. Many of them have no meaning in Linux. e.g. 
To begin with, just allocate a gidNumber to Domain Users. A good way to 
decide which gidNumber to allocate is to take the RID of the group and 
add, say, 20000 to keep it well away from local groups. As the RID of 
Domain Users is 513 then our gidNumber becomes 20513.

For users, we allocated our first user uidNumber 3000032 to avoid 
collision with the xidnumbers which have to remain in idmap. Each 
subsequent user increments this value. It's tedious doing this by hand 
but easy to create an ldif which contains the values to add as and when 
a new user is created.
> Which uid/gid numbers should I use?
> Without "posixAccount" "uid" "uidNumber" etc. entries, the domain accounts are automatically already allied to a uid number that I can see with "getent passwd":
> # getent passwd Guest
> CHEZMOI\Guest:*:3000011:3000012::/home/CHEZMOI/Guest:/bin/false
> uid=3000011 although I have done no change in the Guest account.oming from /ur/
Those uid:gid pairs are coming from idmap. idmap is not part of AD and 
confuses the issue for many of us. If you are going to add more DC's, 
these uid:gid's  will change depending upon which DC you refer to. 
Probably (almost certainly) not what you want.
> How choose Samba these uid/gid numbers (e.g 3000011/3000012) and how can I choose my uid/gid numbers in order that there is never conflict with uid/gid choose automatically by Samba?
That is best answered by looking at:
ldbsearch --url=/usr/local/samba/private/idmap.ldb
There, you'll see the sids with the xidnumber that Samba has allocated 
to them. This xidnumber becomes the uid or gid depending upon whether 
the object is a user, group or both. A basic set of objects has to 
remain in idmap so leave it as it is after provision. If you add the 
line idmap_ldb:use rfc2307 = Yes to smb.conf (which I believe the 
provision has already done for you) then any new user or group object 
that is created will not have an entry in idmap. You are then free to 
add the necessary uid/gidNumbers to AD.
> Another problem: just after provision, the /usr/local/samba/var/locks/sysvol/ repository is already created with particulary settings regarding the unix rights and the alc (with particulary uid/gid numbers). Must I change the (unix/acl) rights of this repository too ?
>> There's another thread
>> here at the moment about how or how not to do that.
Some of us have given up on winbind for idmapping. There are easier ways 
to get rfc2307 from the database which keep the uid:gid consistent 
independent of which DC is consulted. nss-ldapd is one of them and sssd 
seems to be gaining ground because of its simplicity. I'm a strong 
believer in keeping things as simple as possible. Because of this I 
believe that rfc2307 stuff should always be sourced from AD and we 
should not use an external idmap
> Where? I don't see it. Personally, I never succeed in the "rfc2307" working, until now.
> My purpose is to have the same uid/gid numbers between 2 samba4 servers.
Sorry, I can't access the list archive at the moment. The thread is 
called 'Some clarification?'

More information about the samba mailing list